Half of our customers tell us that security is their #1 spending priority for 2017. (Source: Red Hat Global Customer Technology Outlook, 2017.) With our reliance on digital transactions and tools--and our propensity to connect absolutely everything to the internet--we’re increasingly vulnerable. New kinds of attacks target everything from routers to VCRs, and branded vulnerabilities only make it harder to tell what’s really critical.
This year, there are more than 40 sessions, labs, and talks on security at Red Hat® Summit. Our security experts are available to answer questions and demo software in the Partner Pavilion. Those who are a little more adventurous can try a security game show, learn through roleplay, or test their infosec skills.
IT’S ALL FUN AND GAMES (UNTIL SOMEONE GETS HACKED)
The Partner Pavilion houses Participation Square, where attendees can get their hands (and brains) on some interactive activities, several focusing on security. Crob (pronounced “krobe”--more about him later), a security program manager at Red Hat, took a break from session talks to run a quiz-style show around security topics. Crob tested participants’ knowledge of exploits and OSS with topics like In the News!, Hope or Hype?, and Branded Flaw or OSS Project?.
Crob, a security program manager at Red Hat, runs a quiz show around security topics.
Attendees can also test their sysadmin mettle in the Break-Fix Challenge. Using the information available in Red Hat Customer Portal, contestants must solve a product-specific problem. SELinux failure? Broken system? Logging errors? Those who find the fix the fastest win prizes--and get their name on the leaderboard for all to see.
These educational competitions will continue throughout Summit, so if you’re on site, stop by the Partner Pavilion and see how your skills stack up.
THE SECURITY LIFESTYLE
As Red Hat technical manager Mark Thacker points out, “Security is not really a technology, it’s a lifestyle.” Though Red Hat does not sell any products that focus solely on security, it influences every decision and is built into every solution.
Thacker, in his security roadmap session, focused on 3 IT security trends:
- Creating secure foundations
- Deploying hybrid clouds
- Implementing security compliance and automation
For those who caught the keynote from Red Hat’s executive vice president of Products and Technology, those themes might seem familiar.
BUILDING A SECURE INFRASTRUCTURE FOUNDATION
All Red Hat products are built in a consistent, repeatable, and transparent way that includes packaging, testing, verifying, and delivering the components with security concerns at top of mind. Red Hat Enterprise Linux® and all products sharing its codebase contain many common security elements.
As IT evolves, trends in infrastructure and identity management (IdM) could include:
- Unifying cryptographic policies.
- Hardware root of trust like TPM (2.0) for storing secrets.
- White-listing for utilities and apps to reduce risk.
- Specific device authorization per device, class, user, or location (USB guard).
- IdM integration and automation with middleware, public key infrastructure, and Ansible.
- More secure data store with application programming interface (API) access (Trusted Platform Module (TPM), Custodia).
MAINTAINING SECURITY IN HYBRID CLOUD ENVIRONMENTS
Hybrid cloud deployments and infrastructure can also share consistent policies and elements--especially since they use many of the same components. SELinux, for example, can also protect virtual machines (as sVirt). And Linux provides consistency when it acts as container OS or container host.
Containers also provide isolation, and content scanning and image signing can ensure what’s inside is appropriate for your environment. Thacker also noted that the container health index--now part of a Red Hat subscription--can help evaluate the freshness of a container image.
A great deal of work is also happening around storage and security for cloud deployments, including:
- Network-bound disk encryption.
- Secrets-based protocols for containers.
- Trusted execution environments.
- Reduced attack vectors by changing platform behaviors.
AUTOMATING SECURITY COMPLIANCE
Complexity, at the best of times, breeds automation and standardization. Open standards and tools from OpenSCAP can help scan and evaluate systems based on a security profile. Certifications, like CC and FIPS, give you confidence that our products meet rigorous standards. And management products, like Red Hat Insights and Red Hat CloudForms, can identify and prevent out-of-compliance components from executing.
More than that, our dedicated security team provides rapid responses to known vulnerabilities, which anyone can evaluate in the risk report we publish each year. There’s even a vulnerability API that lets you query the remediation database.
As we deal with more and different systems and their security needs, Thacker expects we will see:
- Smarter responses to branded issues. As Thacker and Crob both noted, just because an issue has a logo does not mean it is critical.
- Increased common logging across platforms.
- More OpenSCAP profiles.
- More products patched on day 1, as monitoring and automation become more common.
RED HAT OPENSTACK PLATFORM
Keith Basil and Nathan Kinder also presented a security roadmap, but one specifically tuned to those building private cloud infrastructure with Red Hat OpenStack® Platform. They emphasized the need for security as a pervasive part of the process, illustrated by the continuous cycle:
Design → Build → Run → Manage → Adapt → Design
Basil emphasized that this circular process (including security remediation) is fully integrated with the build process for Red Hat Enterprise Linux OpenStack Platform and its continuous integration life cycle.
Nathan Kinder shared a process cycle for requesting an OpenStack virtual machine (VM), to illustrate the complexity of OpenStack services. “Each of these components,” Kinder said, “is an actor. All of these different services in OpenStack are talking to each other over open APIs. How do they know that they are who they think they are?”
The many components of an OpenStack environment present a lot of attack surfaces. This means that compliance is a full-stack exercise--each piece must be protected. With so many compliance bodies around the world, the Cloud Security Alliance (CSA) created the cloud controls matrix (CCM) to help classify security-related topics and map them across various groups.
Red Hat uses the CCM and analysis of the top compliance initiatives within OpenStack to plan an agile approach to improving security features. Current top initiatives include infrastructure and virtualization, identity and access management, encryption and key management, and threat and vulnerability management.
WHAT HAPPENS WHEN IT ALL GOES WRONG?
Crob, of game show fame, also had a interactive security session at Red Hat Summit. He began by defining vulnerabilities in entirely human terms: “In the world, all software is created by people. People make mistakes, and therefore there are flaws in software. Sometimes good people find them, sometimes they don’t.”
With facts from a executive summary of Verizon’s Data Breach Investigations Report, he emphasized that breaches were not just a problem for high-value targets, or the result of a clever evil-doer. In fact, 63% of all attacks in 2016 were the result of password guessing or reusing credentials.
Crob also noted that timing is important, and that 84% of breaches take months to years to discover.
He outlined the basic steps of handling a breach by following the acronym PICERL:
Prepare
Identify
Contain
Eradicate
Recover
Lessons learned
Crob then introduced his fictitious company, SportsBall.com.org, and its cast of characters: a charismatic but not-technical CEO, a product manager for the company’s web-based SPortal! (with the exclamation mark), and a security architect. One audience volunteer acted as the IT admin, and the rest would portray the ever-questioning board of directors.
Crob used this winding tale--with appropriate apologies to Faulkner, a bunch of internet cats, and wit--to describe the kind of security scenario an inexperienced upstart web company could face.
When the CEO’s secretary innocently clicks on an amusing cat video, the story is set in motion. As Crob explained, “Malware can come in many forms. Infected image files and video files are a popular new vector.”
Through a series of questions and conversations, Crob guides his motley company through multiple waves of a breach experience. At first, lax account policies and a video that seems to forward itself don’t seem like much of a problem. Neither the CEO (whose laptop could be the culprit) nor the product manager (who has an important for-fee service update for their customers) seem concerned.
However, ignoring the problem doesn’t make it go away, and it continues to escalate. Customers start getting invoices from the not-yet-released for-fee service, unusual network traffic is hitting payroll and invoicing, and the CEO’s workstation is eventually encrypted for ransom. THAT he does consider a problem.
Crob uses this story to probe the audience for the questions they should ask when considering their security policy. Things like:
- How would you know if something was going on?
- Do you really know what your user permissions are?
- What are you doing for spam filtering protection?
- Do you know what your baseline network traffic looks like?
- Do you have a response plan?
- In your response plan, will you isolate to prosecute or eradicate to restore service? (You can’t usually do both.)
Eventually, Crob takes pity on his poor beleaguered SportsBall.com.org “employees,” and reveals the root cause of their troubles: Video displays in the office were attached in the clear to the office network, and their software was very old, easily exploited, and the culprit behind the network intrusion.
SECURITY IS CONTINUOUS AND CULTURAL
Bruno Oliveira, speaking to a group of attendees in an afternoon Birds of a Feather (BoF) discussion session about improving security, echoed Crob: “I believe that security is not only about tools, but about people.” His co-host, William Henry, added, “If you have a good process in place, in the pipeline, you can create standards.”
Though the approaches were different, the message about security was clear: The technology is there--or on its way. Standards and compliance bodies are plentiful. The missing ingredients for many organizations are process, education, and culture.
The good news? These are all things that can be gained by collaborating with others, listening to their experiences, and learning from them. Which just happens to be what we do every year at Red Hat Summit.
If you’re at the Summit, don’t miss the remaining security sessions and activities. And if you can’t join us in person, you can watch live keynotes and interviews from the Summit website.
저자 소개
Red Hat is the world’s leading provider of enterprise open source software solutions, using a community-powered approach to deliver reliable and high-performing Linux, hybrid cloud, container, and Kubernetes technologies.
Red Hat helps customers integrate new and existing IT applications, develop cloud-native applications, standardize on our industry-leading operating system, and automate, secure, and manage complex environments. Award-winning support, training, and consulting services make Red Hat a trusted adviser to the Fortune 500. As a strategic partner to cloud providers, system integrators, application vendors, customers, and open source communities, Red Hat can help organizations prepare for the digital future.
채널별 검색
오토메이션
기술, 팀, 인프라를 위한 IT 자동화 최신 동향
인공지능
고객이 어디서나 AI 워크로드를 실행할 수 있도록 지원하는 플랫폼 업데이트
오픈 하이브리드 클라우드
하이브리드 클라우드로 더욱 유연한 미래를 구축하는 방법을 알아보세요
보안
환경과 기술 전반에 걸쳐 리스크를 감소하는 방법에 대한 최신 정보
엣지 컴퓨팅
엣지에서의 운영을 단순화하는 플랫폼 업데이트
인프라
세계적으로 인정받은 기업용 Linux 플랫폼에 대한 최신 정보
애플리케이션
복잡한 애플리케이션에 대한 솔루션 더 보기
오리지널 쇼
엔터프라이즈 기술 분야의 제작자와 리더가 전하는 흥미로운 스토리
제품
- Red Hat Enterprise Linux
- Red Hat OpenShift Enterprise
- Red Hat Ansible Automation Platform
- 클라우드 서비스
- 모든 제품 보기
툴
체험, 구매 & 영업
커뮤니케이션
Red Hat 소개
Red Hat은 Linux, 클라우드, 컨테이너, 쿠버네티스 등을 포함한 글로벌 엔터프라이즈 오픈소스 솔루션 공급업체입니다. Red Hat은 코어 데이터센터에서 네트워크 엣지에 이르기까지 다양한 플랫폼과 환경에서 기업의 업무 편의성을 높여 주는 강화된 기능의 솔루션을 제공합니다.